Diffstat (limited to 'docs')
-rw-r--r-- | docs/config/_default/security.toml | 13 | ||||
-rw-r--r-- | docs/content/en/about/security-model/index.md | 21 | ||||
-rw-r--r-- | docs/content/en/getting-started/configuration.md | 4 | ||||
-rw-r--r-- | docs/data/docs.json | 37 |
4 files changed, 71 insertions, 4 deletions
diff --git a/docs/config/_default/security.toml b/docs/config/_default/security.toml
new file mode 100644
index 000000000..73af66164
--- /dev/null
+++ b/docs/config/_default/security.toml
@@ -0,0 +1,13 @@
+
+ enableInlineShortcodes = false
+
+ [exec]
+ allow = ['^go$']
+ osEnv = ['^PATH$']
+
+ [funcs]
+ getenv = ['^HUGO_', '^REPOSITORY_URL$']
+
+ [http]
+ methods = ['(?i)GET|POST']
+ urls = ['.*']
\ No newline at end of file
diff --git a/docs/content/en/about/security-model/index.md b/docs/content/en/about/security-model/index.md
index 7a7841131..aed925d49 100644
--- a/docs/content/en/about/security-model/index.md
+++ b/docs/content/en/about/security-model/index.md
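Review bot: The `methods` whitelist `(?i)GET|POST` in this new file is unanchored, so as a Go regexp (the page links pkg.go.dev/regexp for these patterns) it matches any method string that merely contains `get` or `post` rather than exactly those verbs; a whitelist entry should be anchored, e.g. `methods = ['(?i)^(GET|POST)$']`. The same unanchored pattern is recorded as the default in the docs.json hunk further down, so both places need the same fix. `urls = ['.*']` admits every remote host and scheme, including plain `http://`; if the docs build only fetches from a known set of hosts, listing those hosts is the stricter choice, and otherwise a one-line comment above it such as `# open on purpose: the docs site fetches from many third-party hosts` would tell the next reader the breadth is intentional. The file is also committed without a trailing newline.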
@@ -21,14 +21,29 @@ Hugo produces static output, so once built, the runtime is the browser (assuming But when developing and building your site, the runtime is the `hugo` executable. Securing a runtime can be [a real challenge](https://blog.logrocket.com/how-to-protect-your-node-js-applications-from-malicious-dependencies-5f2e60ea08f9/). -**Hugo's main approach is that of sandboxing:** +**Hugo's main approach is that of sandboxing and a security policy with strict defaults:** * Hugo has a virtual file system and only the main project (not third-party components) is allowed to mount directories or files outside the project root. * Only the main project can walk symbolic links. * User-defined components have only read-access to the filesystem. -* We shell out to some external binaries to support [Asciidoctor](/content-management/formats/#list-of-content-formats) and similar, but those binaries and their flags are predefined. General functions to run arbitrary external OS commands have been [discussed](https://github.com/gohugoio/hugo/issues/796), but not implemented because of security concerns. +* We shell out to some external binaries to support [Asciidoctor](/content-management/formats/#list-of-content-formats) and similar, but those binaries and their flags are predefined and disabled by default (see [Security Policy](#security-policy)). General functions to run arbitrary external OS commands have been [discussed](https://github.com/gohugoio/hugo/issues/796), but not implemented because of security concerns. -Hugo will soon introduce a concept of _Content Source Plugins_ (AKA _Pages from Data_), but the above will still hold true. + +## Security Policy + +{{< new-in "0.91.0" >}} + +Hugo has a built-in security policy that restricts access to [os/exec](https://pkg.go.dev/os/exec), remote communication and similar. + +The defdault configuration is listed below. 
And build using features not whitelisted in the security policy will faill with a detailed message about what needs to be done. Most of these settings are whitelists (string or slice, [Regular Expressions](https://pkg.go.dev/regexp) or `none` which matches nothing). + +{{< code-toggle config="security" />}} + +Note that these and other config settings in Hugo can be overridden by the OS environment. If you want to block all remote HTTP fetching of data: + +``` +HUGO_SECURITY_HTTP_URLS=none hugo +``` ## Dependency Security diff --git a/docs/content/en/getting-started/configuration.md b/docs/content/en/getting-started/configuration.md index 0f48c39e3..2123558d9 100644 --- a/docs/content/en/getting-started/configuration.md +++ b/docs/content/en/getting-started/configuration.md @@ -381,6 +381,10 @@ Maximum number of items in the RSS feed. ### sectionPagesMenu See ["Section Menu for Lazy Bloggers"](/templates/menu-templates/#section-menu-for-lazy-bloggers). +### security + +See [Security Policy](/about/security-model/#security-policy) + ### sitemap Default [sitemap configuration](/templates/sitemap-template/#configure-sitemapxml). diff --git a/docs/data/docs.json b/docs/data/docs.json index 70a2eafb4..8f8950dc4 100644 --- a/docs/data/docs.json +++ b/docs/data/docs.json @@ -1775,9 +1775,15 @@ "permalinks": { "_merge": "none" }, + "privacy": { + "_merge": "none" + }, "related": { "_merge": "none" }, + "security": { + "_merge": "none" + }, "sitemap": { "_merge": "none" }, @@ -1822,6 +1828,32 @@ "keepWhitespace": false } } + }, + "security": { + "enableInlineShortcodes": false, + "exec": { + "allow": [ + "^go$", + "^npx$", + "^postcss$" + ], + "osEnv": [ + "(?i)^(PATH|PATHEXT|APPDATA|TMP|TEMP|TERM)$" + ] + }, + "funcs": { + "getenv": [ + "^HUGO_" + ] + }, + "http": { + "methods": [ + "(?i)GET|POST" + ], + "urls": [ + ".*" + ] + } } }, "media": { @@ -1966,7 +1998,10 @@ "string": "image/jpeg", "suffixes": [ "jpg", - "jpeg" + "jpeg", + "jpe", + "jif", + "jfif" ] }, { |
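Review bot: The `http.urls` default recorded in the `"security"` object of this docs.json hunk is `".*"`, which permits remote fetches to any host over any scheme out of the box, and it sits next to the new "strict defaults" wording in the index.md hunk above; the `code-toggle config="security"` shortcode on that page presumably renders this very section, so readers will see the open pattern presented as the default. If docs.json is generated from the binary's defaults, as its location and shape suggest, the value itself belongs to the generator rather than this file, but it is worth confirming the breadth is intended and that the page states plainly that `urls` is open by default and how to close it (`HUGO_SECURITY_HTTP_URLS=none`, already shown in the index.md hunk). The `"methods": ["(?i)GET|POST"]` entry here is the same unanchored regexp flagged on the security.toml hunk.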